CVE-2025-14350 MEDIUM

CVE-2025-14350: Information disclosure via channel mentions in posts

Vendor: Mattermost
Product: Mattermost
Weakness: CWE-862 · Missing authorization
Published: February 16, 2026
Last update: February 17, 2026

CVSS base score

4.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: Low
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, and 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions. This allows authenticated users to determine the existence of teams and their URL names by posting channel shortlinks and observing the channel_mentions property in the API response. Mattermost Advisory ID: MMSA-2025-00563

Key dates

02 Disclosure timeline

February 16, 2026: CVE published
February 17, 2026: Record updated